3 Vulnerable Plugins: 400,000 WordPress Sites Exposed


On January 7, two separate research teams identified vulnerabilities in three WordPress plugins that affected 400,000 websites combined.

WebARX cybersecurity researchers alerted the developer of InfiniteWP Client and WP Time Capsule to vulnerabilities in those plugins, while Wordfence found a similar vulnerability in WP Database Reset.

According to these researchers, logical flaws in the plugin code made it easy for anyone to access admin accounts without a password. Specifically, the issue affects the following versions:

  • InfiniteWP Client below 1.9.4.5
  • WP Time Capsule below 1.21.16
  • WP Database Reset below 3.15

Vulnerabilities of InfiniteWP Client

InfiniteWP Client lets an admin manage multiple WP websites from a single server.

Because of the flaw, an attacker able to build a JSON payload and Base64-encode it can send it in a POST request and log in using only an admin's username. From there it is easy to carry out any malicious intent, including adding or deleting accounts.

The image below shows the vulnerable InfiniteWP Client code.

The WP plugins library reports that InfiniteWP Client is active on more than 300,000 websites. So this vulnerability affects 75 percent of all the exposed websites.

Vulnerabilities of WP Time Capsule

Whenever you create new content or add new code to your website, WP Time Capsule creates a database entry and backs up your files, so it automatically saves every change that happens on your WP site. The plugin is in use on more than 20,000 domains.

An attacker can exploit WP Time Capsule versions below 1.21.16 by inserting a crafted string in a raw POST request. The aim is to hijack the available administrator accounts by logging in as the first admin on the list.

The image below shows WP Time Capsule’s vulnerable version.

Vulnerabilities of WP Database Reset

WP Database Reset is a handy tool for administrators who run tests on their websites. This plugin lets you reset your website’s database tables to the state of a freshly installed WordPress. So you can always start over without needing to reinstall WordPress.  

The plugin has two vulnerabilities. The first allows unauthenticated users to reset tables in the database to their initial state, an action that can lead to a total site reset, a takeover, or both.

The second allows authenticated users to assign the administrator role to their own account regardless of their initial level of permission, thereby locking all other users out.

Version 3.15 patches both vulnerabilities, and the 80,000 websites using this plugin should install it.


The Response

When the researchers from WebARX reported these vulnerabilities to the developer of the first two plugins, they got a quick response. The developer made a software update available just one day after the report.

The developers patched the plugins by:

  • Removing some function calls
  • Tweaking action code, and
  • Adding payload authenticity checks
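The checks those fixes describe, shown as an added example rather than code from any of the three plugins (the action name demo_reset_tables, the capability chosen and the table list are assumptions made for this illustration): a WordPress admin-post handler for a database reset, first as it would look with the missing checks that permit an unauthenticated reset of the kind described for WP Database Reset, then hardened so that only a logged-in user with the right capability, sending a request that carries a nonce issued for this action, can trigger it. The same two checks (capability plus nonce, never a client-supplied role or username) are what stop an authenticated user from promoting their own account.

```php
<?php
// Added illustration, not code from InfiniteWP Client, WP Time Capsule or
// WP Database Reset. Hook names, the capability and the table list are assumed.

// Shared worker: truncate the chosen tables. Callers must pass a whitelisted
// list; a real reset would also restore the default rows afterwards.
function demo_do_reset(array $tables) {
    global $wpdb;
    foreach ($tables as $t) {
        $wpdb->query("TRUNCATE TABLE {$wpdb->prefix}{$t}");
    }
}

// WEAK (hypothetical): registered on the *_nopriv_ hook as well, so the
// handler runs for logged-out visitors, and it never asks who the caller is
// or whether the request was really issued from the plugin's own form.
add_action('admin_post_nopriv_demo_reset_tables', 'demo_reset_tables_weak');
add_action('admin_post_demo_reset_tables', 'demo_reset_tables_weak');
function demo_reset_tables_weak() {
    $tables = isset($_POST['tables']) ? (array) $_POST['tables'] : [];
    demo_do_reset($tables);                    // no authorization, no nonce, raw input
    wp_safe_redirect(admin_url('tools.php'));
    exit;
}

// HARDENED: no nopriv hook, so logged-out requests never reach the handler.
add_action('admin_post_demo_reset_tables', 'demo_reset_tables_hardened');
function demo_reset_tables_hardened() {
    // 1. Authorization: a capability check, not a role name or a flag the
    //    client sent. 'manage_options' is an assumed choice for a reset action.
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to do this.'), 403);
    }

    // 2. Payload authenticity: the nonce is bound to this user, this action
    //    and a time window, so a forged or replayed POST is rejected here.
    check_admin_referer('demo_reset_tables');  // wp_die() with 403 on failure

    // 3. Input: keep only table names from a fixed whitelist; the list the
    //    client submitted is never used directly in SQL.
    $allowed   = ['posts', 'comments', 'options'];
    $requested = isset($_POST['tables']) ? (array) wp_unslash($_POST['tables']) : [];
    $tables    = array_values(array_intersect(array_map('sanitize_key', $requested), $allowed));

    demo_do_reset($tables);
    wp_safe_redirect(add_query_arg('reset', 'done', admin_url('tools.php')));
    exit;
}

// The admin form that issues the nonce the hardened handler verifies.
function demo_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_reset_tables">
        <?php wp_nonce_field('demo_reset_tables'); ?>
        <label><input type="checkbox" name="tables[]" value="posts"> posts</label>
        <label><input type="checkbox" name="tables[]" value="comments"> comments</label>
        <?php submit_button(__('Reset selected tables')); ?>
    </form>
    <?php
}
```

Dropping the `admin_post_nopriv_` registration is the "tweaking action code" step, and `check_admin_referer()` is the "payload authenticity check": without it, any page that can get a logged-in administrator to submit a form to admin-post.php can trigger the action on their behalf, which is why a web application firewall in front of the site cannot substitute for the fix in the handler itself.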

Experts warn that firewall protections won’t work. Hence, users should update to the latest versions of all three plugins immediately.

Is Your Host More Vulnerable than Your Plugin?

Plugins may have vulnerabilities, but your site host may open you up to even more attacks. Up to 41 percent of WordPress site vulnerabilities come from hosts.

Hence, beyond plugin patches and upgrades, you want to ensure that you’re using a secure web host. That’s where HostScore comes in. We help you track the performance data of website hosts, understand how site performance influences you, and decide the best hosting plan for your business.


Author Profile

Nicholas Godwin tells profitable brand stories that tech buyers and businesses love. He is a digital marketing consultant and technology researcher and regularly works on projects for Fortune 500 companies, global tech corporations, and top consulting firms, from Bloomberg Beta, Accenture, PwC, and Deloitte to HP, Shell, and AT&T. Catch him on Twitter @Donglitzie